Malaysia's banking sector is in the midst of an artificial intelligence transformation, yet the adoption remains uneven and tempered by considerable caution when it comes to deploying the technology in high-consequence scenarios. A comprehensive study released by the Asian Institute of Chartered Bankers, conducted in partnership with Ecosystm and the AICB Chief Risk Officers' Forum, paints a picture of an industry experimenting boldly in low-risk domains while maintaining considerable reservations about entrusting machines with decisions that could materially affect customers, institutional risk profiles, and bottom-line performance.

The research drew responses from 87 senior leaders spanning commercial banks, digital-only institutions, Islamic banks, and development financial institutions across Malaysia. What emerged is a sector where technology adoption and institutional readiness have diverged. Banks and DFIs are indeed deploying AI across customer onboarding processes, fraud identification systems, anti-money laundering surveillance, counter-terrorism financing controls, and workplace productivity tools. Yet when researchers probed whether executives would actually rely on these systems to drive consequential decisions, the confidence threshold drops precipitously. Only one-quarter of respondents indicated sufficient trust in AI-generated outputs to use them as a basis for critical business judgments. This gap between experimental enthusiasm and operational trust suggests that Malaysian financial institutions recognise AI's potential while remaining deeply conscious of its limitations.

Edward Ling, the AICB's chief executive, articulated the sector's evolving mindset during the presentation of findings at the institute's 4th Malaysian Banking Conference and 2nd Bank Audit Conference. The conversation has shifted beyond whether AI belongs in banking toward a more mature question about institutional capability. Ling emphasised that the real challenge is whether banks possess the governance frameworks, ethical anchors, professional expertise, and supervisory discipline required to harness AI responsibly. This reframing reflects growing recognition that deploying AI systems without corresponding institutional maturity can create hidden vulnerabilities.

Chong Han Hwee, who chairs the AICB Chief Risk Officers' Forum and serves as group chief risk officer at RHB Malaysia, highlighted a particularly nuanced dimension of AI risk management in banking. Unlike traditional technology risks that concentrate within specific systems or departments, AI-related risks permeate entire operational ecosystems. Risk surfaces not only from the algorithms themselves but from the quality of underlying datasets feeding those algorithms, from how human users interact with AI outputs, from downstream business decisions informed by automated recommendations, and from how all these elements evolve as volumes and conditions change. This systemic complexity means that risk officers cannot simply audit a model and declare it safe; they must monitor dynamic, interconnected chains of causation.

The study's findings on institutional readiness reveal a sector distributed across a maturity spectrum, with concentration in middle stages. Roughly 44 per cent of surveyed banks and DFIs occupy the developing category—they have graduated beyond isolated pilots and experimentation, yet their capabilities remain fragmented across data infrastructure, workforce skills, and operational processes. A mere 15 per cent have achieved established readiness, and just 2 per cent have attained advanced status where AI has achieved full integration into decision-making architectures and contributes directly to competitive advantages. This distribution suggests that most Malaysian institutions still require substantial investment and reorganisation before AI can function as a transformative business lever.

Capability gaps extend across multiple dimensions. Strategic alignment represents a critical shortfall: only one-quarter of institutions have articulated a defined strategy that explicitly links AI initiatives to measurable business objectives. Meanwhile, 44 per cent are already developing custom AI solutions tailored to internal requirements, a phenomenon that creates organisational fragmentation and inhibits knowledge sharing across the sector. Solutions built independently by different banks often cannot be adapted elsewhere, and this redundancy wastes precious resources in an environment where specialised talent is scarce. The talent shortage itself constitutes a severe constraint, with 79 per cent of respondents reporting acute shortages of specialists with deep AI technical expertise. Only one-fifth of institutions have launched systematic efforts to cultivate AI literacy and decision-making confidence throughout their workforces, pointing to leadership and cultural adoption gaps.

Governance infrastructure represents perhaps the most troubling vulnerability. More than half of responding institutions continue to manage AI governance through fragmented, case-by-case approaches rather than deploying consistent, risk-calibrated frameworks. These ad hoc arrangements lack standardised protocols for determining which AI applications warrant intensive oversight, what approval authorities should be engaged, and which safeguards should be mandatory for different risk categories. Only one-third have constructed structured governance systems coupled with formal model risk management processes. Even more revealing, merely 27 per cent employ formal AI risk tiering protocols that would allow risk management teams to adjust oversight intensity based on application risk profiles. This governance fragmentation creates potential compliance blind spots and leaves institutions vulnerable to uncoordinated AI deployments that might violate regulatory expectations.

Sash Mukherjee, vice-president of industry insights at Ecosystm, identified emerging pressure points as financial institutions contemplate expanding AI into progressively riskier applications. As use cases migrate beyond customer service and transaction monitoring toward lending decisions, investment recommendations, and strategy formulation, stakeholders increasingly demand transparency about how models reach their conclusions, assurance that third-party AI vendors and components meet stringent standards, and guarantees that underlying data meets quality thresholds. The challenge facing Malaysia's regulatory and industry leadership is that regulatory frameworks, however well-intentioned, cannot keep pace with rapid technological evolution. Mukherjee advocated for sustained collaboration between financial institutions and supervisory authorities to ensure governance structures mature alongside technological capabilities.

These findings carry significant implications for Malaysia's financial sector as it navigates digital transformation. The banking industry cannot advance AI adoption through isolated technology initiatives; the ecosystem requires parallel development of strategic vision, organisational capabilities, governance systems, and regulatory clarity. The concentration of institutions in developing stages suggests a window of opportunity for sector-wide capacity building, knowledge standardisation, and collaborative framework development. Without coordinated action, individual banks will continue investing redundantly in custom solutions while their workforces lack foundational AI competency. The 25 per cent confidence threshold in AI-generated decisions for high-stakes scenarios underscores that trust in automation cannot be assumed or imposed; it must be earned through demonstrated reliability, transparency, and alignment with institutional risk tolerance.